Here is my monthly update covering what I have been doing in the free software world during March 2018 (previous month):
- I was honoured to be elected to the board of the Open Source Initiative, a non-profit organisation dedicated to promoting open-source software. As part of this appointment I will naturally be representing Debian's interests and also using my experience as the Project's leader to help the free software community in general.
- My activities as the incumbent Debian Project Leader are covered in my "Bits from the DPL" post to the debian-devel-announce mailing list.
- Attended the Free Software Foundation's LibrePlanet 2018 conference in Boston, MA, the 16th Southern California Linux Expo ("SCALE") in Pasadena, CA and also presented on Reproducible Builds at the New York Linux Users Group.
- Sent a pull request for the Django web-development framework to emit (actual errors: none) instead of (actual errors:) when checking form errors. [...]
- Resubmitted my patch for the FreezeGun time-related Python testing utility to add support for Python datetime.timedelta instances. [...]
- Filed five upstream patches to make their build or output reproducible for the Rollup.js ES6 module bundler [...], the Meson build system [...], the gnocchi timeseries database [...], the "Nova" component of OpenStack [...] and the "preamble" JavaScript packaging utility [...].
- Merged a pull request for my custom "panel" in the Django Debug toolbar for quickly switching between users. [...]
- Even more hacking on the Lintian static analysis tool for Debian packages:
- New features:
- Warn about packages that either have a dependency on default-mta but do not specify mail-transport-agent, have a mail-transport-agent dependency but do not specify default-mta, or do not specify default-mta first in their alternatives. (#892143)
- Warn about packages that have a relationship with a mail-transport-agent but do not specify default-mta and mail-transport-agent as alternatives. (#892144)
- Emit a warning if a package uses the deprecated "port 21"-based FTP download location. (#892249)
- Add pedantic warnings for upstream tarballs containing empty directories. (#894368)
- Bug fixes:
- Avoid false positives in spelling detection by allowing "(s)" suffixes. (#894077)
- Add .ogg files to the list of non-license file extensions to avoid a false-positive in extra-license-file. (#894139)
- Only emit source-contains-prebuilt-java-object for .jar files that actually contain classes. (#789802)
- Look under all of /usr/share/doc (not just /usr/share/doc/$pkg) when looking for installed examples. (#892905)
- Strip "\par" elements from files prior to license checks to avoid false-positives in .rtf files. (#892967)
- Refresh all debhelper data, correcting the entry for dh-scour. (#889016)
- Don't emit unnecessary-source-date-epoch-assignment if package Build-Depends on dpkg-dev (>= 1.18.8) or debhelper (>= 10.10). (#892549)
- Only check dependency fields in binary packages for mail-transport-agent-dependency-does-not-specify-default-mta etc. (#892550)
- Don't emit orig-tarball-missing-upstream-signature when the package provides a foo.tar.asc for a foo.tar.gz, not just foo.tar.gz.asc. (#892255)
- Ignore entries that end with ":" to avoid false-positives in debian-changelog-line-too-short. (#892197)
- Apply a patch to bump the maximum permissible bytecode version number and description now that Java 9 is the default-jdk. (#894397, #894397)
- Drop the wil → will spelling correction as Wil is a common name in the Netherlands. (#891935)
- Misc:
- Upgrade vcs-deprecated-in-debian-infrastructure to W: from P: due to Alioth becoming read-only from May 1st. (#886096)
- Drop apache2-module-depends-on-real-apache2-package as there are separate tags for missing apache2-api-* dependencies. (#796285)
- Documentation:
- Correct the location of the AutomaticDebugPackages wiki page in the description of debian-control-has-obsolete-dbg-package. (#893480)
- Clarify the meaning of depends-on-build-essential-package-without-using-version. (#892597)
- Lastly, I filed three upstream wishlist issues for:
- Julien Danjou's daiquiri Python logging library, requesting a cleaner method to override the default formatting. [...]
- The TypeTandem collaborative text-editor to request its license becomes DFSG-compliant. [...]
- The Graph module for the Redis key-value database to request they make official releases. [...]
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Filed upstream pull requests for rollup.js, Meson, Gnocchi, Nova and preamble.
- Presented on the topic at:
- The 16th Southern California Linux Expo ("SCALE") in Pasadena, CA.
- The New York Linux Users Group. (Thanks to Two Sigma for hosting the event)
- The Free Software Foundation's LibrePlanet 2018 in Boston, MA.
- In Debian:
- Kept isdebianreproducibleyet.com up to date. [...]
- Moved some Git repositories to salsa.debian.org.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- I also submitted 11 patches to fix specific reproducibility issues in codespell, gexiv2, gnocchi, kronosnet, lexicon, node-rollup, nova, python-diskimage-builder, python-fisx, rpyc & yt.
- Created a patch for our testing framework to save the JSON output from diffoscope to make automatic categorisation easier. (#892712)
- Applied a patch by Gianfranco Costamagna to our strip-nondeterminism tool that removes non-deterministic results from a completed build to fix the testsuite. (#894391)
- I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- New features:
- Bug fixes:
- Reset the permissions of temporary directories prior to deletion to ensure that non-writable permissions such as 0555 are removed. (#891363)
- Support installations where the python3-xattr package is installed but python3-pyxattr is not. (#892240)
- Update terminology used in the documentation regarding exclusion options. (#893324)
- Update the Java tests for openjdk-9. (#893183)
- Misc:
- Don't show the progress bar if we specified --debug. [...]
- Print a message if you only specify one file to compare. [...]
- Use our bin/diffoscope wrapper in manpage generation to ensure we are using the local version. [...]
- Clarify in the documentation that the Reproducible Builds project is not just about Debian (!). [...]
- A large number of small code cleanups (dropping unused imports, variable names, indentation, etc.)
- Worked on publishing our weekly reports (#149, #150, #151 & #152) and requested that they get included in future editions of Linux Weekly News.
- Categorised a large number of packages and issues in the "notes.git" repository.
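The temporary-directory fix listed above (#891363) is worth seeing in code: a directory left at 0555 by an extracted archive makes a plain shutil.rmtree fail, because unlinking an entry needs write permission on its parent directory. The following is an added example written for this post, not diffoscope's own code; the function names and the constructed fixture in demo() are assumptions.

```python
import os
import shutil
import stat
import tempfile


def _add_mode(path: str, bits: int) -> None:
    """Add permission bits to *path* (skipping symlinks, since chmod follows them)."""
    if os.path.islink(path):
        return
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode & bits != bits:
        os.chmod(path, mode | bits)


def make_tree_writable(root: str) -> None:
    """Give the owner write+search permission on every directory under *root*.

    Only directories need fixing: unlinking a file requires write permission
    on the directory containing it, not on the file itself.  Child directories
    are fixed before os.walk descends into them, so even 0000 directories can
    be listed and emptied.
    """
    _add_mode(root, stat.S_IWUSR | stat.S_IXUSR)
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            _add_mode(os.path.join(dirpath, name), stat.S_IWUSR | stat.S_IXUSR)


def remove_tree(root: str) -> None:
    """rmtree that first resets permissions, so read-only trees are removed."""
    make_tree_writable(root)
    shutil.rmtree(root)


def demo() -> bool:
    """Constructed fixture: a temp dir holding a 0555 subdirectory with a file
    inside, then remove it.  Returns True if the whole tree is gone."""
    base = tempfile.mkdtemp(prefix="rmtree-example-")
    locked = os.path.join(base, "extracted")
    os.mkdir(locked)
    with open(os.path.join(locked, "payload.txt"), "w") as fh:
        fh.write("constructed sample content\n")
    os.chmod(locked, 0o555)  # as a non-root user, plain shutil.rmtree(base) raises PermissionError here
    remove_tree(base)
    return not os.path.exists(base)
```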
Debian
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, reviewing other maintainers' packages, etc.
- Issued DLA 1299-1 fixing an XML External Entity (XXE) attack in the JGraphX diagramming library.
- Issued DLA 1304-1 for zsh to fix four vulnerabilities, including a privilege-elevation issue.
- Issued DLA 1306-1 for the libvips image processing library where attackers could cause a remote denial of service.
- Issued DLA 1311-1 for the adminer web-based database administration tool. I also updated jessie-backports and proposed updates for stretch (#893803) and jessie (#893804).
- Issued DLA 1317-1 for the net-snmp server management framework to correct a heap corruption vulnerability.
- Issued DLA 1318-1 for irssi closing an issue where nicknames could result in out-of-bounds access.
Uploads
- python-django (2.0.3-1 & 1.11.11-1) — New upstream security releases.
- libfiu:
- redisearch (1.0.9-1) — New upstream release.
Debian bugs filed
- postgresql-10: Please update NEWS entry for 10.3-1. (#891898)
- python-meshio: Installs test files to /usr/lib/python3/dist-packages. (#892019)
- clang-tidy-7: Missing depends on libclang-common-7-dev. (#891999)
- lintian: Warn about "old" X-Python3-Version fields? (#892304)
- todoman: Bogus description in manpage. (#892381)
FTP Team
As a Debian FTP assistant I ACCEPTed 53 packages: akonadi, akonadi-calendar, arch-install-scripts, beets, calligraplan, cenon.app, cross-toolchain-base-ports, dcontainers, debiman, deepin-movie-reborn, deepin-screenshot, deepin-terminal, dput-ng, dump1090-mutability, fonts-ubuntu, gcc-7-cross, gcc-8-cross, gnome-themes-extra, iotjs, isl, isl-0.18, ksmtp, ldc, ledger-wallets-udev, lexicon, libmath-random-secure-perl, libtgvoip, linux, magic-wormhole-transit-relay, mailman-suite, mailman3, mustache-d, node-split-string, nvidia-cuda-toolkit, nvidia-graphics-drivers, python-memoize, python-orderedattrdict, python-requests-ntlm, python-test-server, python-wsproto, pyzabbix, r-cran-pbmcapply, r-cran-spdata, r-cran-squarem, r-cran-zeligchoice, ruby-batch-loader, ruby-commonmarker, ruby-enum, ruby-fast-blank, social-auth-core, stdx-allocator, tldextract & xorgproto.
I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files: cenon.app, gnome-themes-extra, isl, isl-0.18, libtgvoip & python-wsproto.